Coders like to tell a joke. There are two types of people, it goes: those who have been hacked, and those who are about to be hacked.
The quip is telling: cyber attacks, from Nigerian email scams to sophisticated Chinese phishing operations, are a fact of life online. Whether you’re a teenager with a laptop or a big bank with complicated servers, you likely are not immune to hacking.
Postsecondary institutions are particularly — and increasingly — targeted by hackers, IT specialists, intelligence agencies and universities say.
Now, with cyber attacks on the rise, schools are trying to protect not only valuable research in fields like biochemistry and engineering, but the vaunted culture of openness that makes universities unique.
It’s not clear exactly how many hacking attempts Canadian universities face on any given day; few, if any, schools keep track of that number.
U.S. universities are more forthright, and if their example is any indication, the problem may be very large indeed. Bill Mellon of the University of Wisconsin said the school saw as many as 100,000 daily hacking attempts from China alone.
Whatever the figure, most Canadian universities agree that the number of serious hacking attempts is growing.
“The sophistication of the attacks is increasing, and the number of attackers,” said Jason Testart, director of information security services at University of Waterloo.
“We are seeing increases in the attempts to get into our systems,” said McMaster University spokesperson Andrea Farquhar. “Some of those are very determined. I don’t think we’re alone in that.”
McMaster recently doubled the number of employees focused on cyber security from two to four to combat the growing wave of attacks.
But universities are often coy, if not downright secretive, about hacking.
The University of Toronto turned down an interview request, instead sending general answers by email. McMaster refused to let their IT specialists speak to the Star. McGill University declined several requests for comment over the course of months.
When they did talk about the issue, most schools were reluctant to disclose what sorts of research was targeted by hackers, or whether the attacks had been successful.
“You’re laying out your vulnerabilities, potentially” by talking about what is targeted, said Lori MacMullen, executive director of the Canadian University Council of Chief Information Officers.
U of T’s information security director, Martin Loeffler, was more blunt.
“As such information might encourage or facilitate attacks against the university, we don’t disclose data on successful or unsuccessful attacks,” he said in an email.
Often, it’s simply impossible to tell whether research or student information has been compromised or stolen. For one thing, when a hacker steals research, unlike when a carjacker steals a BMW, they can leave the original intact.
And hackers often take pains to avoid being detected.
“They aren’t the sort of people who would go into a university network, steal it and then publicize it,” said Ronald Deibert, a cyber-security researcher at U of T.
That means it’s often impossible to tell something as basic as the country where a hacking attempt originated.
Sometimes hacks come from botnets, fleets of computers on the Internet deployed by a puppet master. Cyber-security staff at universities can find themselves playing whack-a-mole with IP addresses from around the world.
“Let’s say they’re looking for a specific vulnerability — one minute you’re seeing traffic from Germany, the next minute, anywhere: China, South Africa, Japan, the U.S.,” said Waterloo’s Testart.
It is occasionally possible to trace the origin of cyber attacks, however, and American schools say that certain countries are associated with particular types of online theft.
“Typically, Russian intrusions have targeted personally identifiable information . . . used for identity theft,” said Tracy Mitrano, director of IT policy at Cornell University in Ithaca, N.Y. Chinese hackers, meanwhile, tend to probe for engineering and biochemistry research.
Canadian schools conduct sensitive, marketable research, too, of course. In 2010, the last year with available data, Canadian universities were granted 398 patents.
Hackers have taken note, according to CSIS, the spy agency.
“Because Canada is a leader in many areas of science and technology, Canadian research institutions — public and private — make for attractive targets,” CSIS spokesperson Tahera Mufti wrote in an email. “Cyber attackers and other hostile actors are always looking to steal intellectual property, often to give foreign companies a competitive edge over Canadian ones.”
Mitrano said hackers target a wide range of scientific research, “Everything from semiconductor performance to the physical ware in computers, to any software, in biology — my goodness — genomics, medical research.”
Sometimes the targets are less ambitious: Testart said he had detected Chinese scholars trying to infiltrate Waterloo’s network to access academic journal subscriptions. “They’re looking for usernames and passwords,” he said.
Despite the growing volume of hacks aimed at universities, many of them are reluctant to concede that the online threats faced by post-secondary schools are unique.
“The Internet threats we face are really no different from any other organization — they’re trying to get at data,” said Testart.
But the wide-open, diffuse nature of universities makes them harder to protect against hackers than corporations or government agencies.
Unlike a bank, say, universities are comprised of thousands of faculty and students logging on to the school’s servers with laptops from coffee shops or their living rooms.
That means hackers can infiltrate any one of those IP addresses and burrow into university networks when the user logs on.
“You’re only as good as your weakest link, and the hackers try to identify that weakest link,” said Sumon Acharjee, chief information officer at Sheridan College.
In that way, the sheer size of universities can be a liability. “If you’re in the Skydome and it’s full, you have a better chance of pickpocketing than if you’re in a park and there are only a couple of people,” Acharjee said.
What’s more, not only do universities’ own members provide “on-ramps” for hackers, so do academics around the world collaborating with their counterparts in Canada.
“If you get a researcher who is doing research on energy or agriculture, any kind of research, they’re sitting on your campus and doing their research, but they’re collaborating with researchers all over the world,” said MacMullen. “So they’re collecting data, sharing data, they’re moving data back and forth and doing all kinds of wonderful things.”
For research to go smoothly, she said, “you may need to allow researchers from another university access to your network.”
Government ministries, for example, can erect firewalls that prevent employees or outside users from accessing their networks unless the computer is in a government office. Universities couldn’t do that without thwarting the kind of information sharing that’s at the core of their mission.
That natural porousness means that some of the people charged with patrolling universities’ digital borders have learned to accept a degree of risk.
“There are so many threats, you can’t get 100 per cent of everything,” said Waterloo’s Testart. “There might be something that’ll slip through your defences. You can’t build Fort Knox.”
(By Eric Andrew-Gee)